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Mr.  Chairman  and  Members  of  the  Subcommittee: 


I  appreciate  the  opportunity  to  participate  in  today’s  hearing  on  homeland  security.  In 
the  wake  of  the  terrorism  attacks  of  September  11,  the  Office  of  Homeland  Security  is 
preparing  a  strategy  to  address  these  threats  to  our  nation.  In  addition,  federal,  state, 
and  local  governments,  and  the  private  sector,  are  taking  steps  to  strengthen  the  safety 
and  security  of  the  American  people,  including  actions  to  strengthen  border  and  port 
security,  airport  security,  and  health  and  food  security  and  to  protect  critical 
infrastructure.  You  asked  me  to  discuss  what  challenges  exist  in  facilitating  these 
security  initiatives-particularly  in  terms  of  technology  and  information  sharing — and 
how  addressing  these  challenges  fits  in  with  developing  and  implementing  a  national 
preparedness  strategy. 

In  brief,  there  are  specific  data,  information-sharing,  and  technology  challenges  facing 
the  country  in  developing  and  implementing  a  national  preparedness  strategy. 

.  The  nature  of  the  terrorist  threat  makes  it  difficult  to  identify  and  differentiate 

information  that  can  provide  an  early  indication  of  a  terrorist  threat  from  the  mass  of 
data  available  to  those  in  positions  of  authority  responsible  for  homeland  security. 

.  We  face  considerable  barriers — cultural,  legal,  and  technical-in  effectively  collecting 
and  sharing  information. 

.  Many  technologies  key  to  addressing  threats  are  not  yet  available,  and  many  existing 
technologies  have  not  been  effectively  adapted  for  the  threats  the  country  now  faces. 

The  real  challenge,  however,  is  not  just  to  find  the  right  solutions  to  each  of  these 
problems  but  to  weave  solutions  together  in  an  integrated  and  intelligent  fashion  so  that 
they  are  collectively  more  than  the  sum  of  their  parts.  At  the  national  level,  this  will 
require  developing  a  blueprint,  or  architectural  construct,  that  defines  both  the  homeland 
security  mission  and  the  information,  technologies,  and  approaches  necessary  to 
perform  the  mission  in  a  way  that  is  divorced  from  organizational  parochialism  and 
cultural  differences.  Local,  state,  and  federal  agencies  responsible  for  homeland 
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security  will  need  to  carry  out  their  respective  roles  under  this  construct  with  a  great 
deal  of  assistance  from  the  private  sector.  Fortunately,  there  are  starting  points  for 
addressing  each  challenge  and  actions  are  being  taken  to  strengthen  security  in  a  broad 
range  of  areas.  But  there  will  still  be  a  need  for  mechanisms  to  make  sure  that  things 
happen  as  they  should. 

In  preparing  for  this  testimony,  we  relied  on  our  prior  reports  and  testimonies  on 
national  preparedness,  critical  infrastructure  protection,  enterprise  architectures, 
intellectual  property,  and  information  technology.  We  reviewed  and  analyzed  studies  on 
homeland  security  and  a  variety  of  proposals  for  developing  a  comprehensive  strategy. 
We  also  analyzed  government  and  industry  reports  on  the  use  of  remote  sensing 
technologies,  media  reports  of  information-sharing  difficulties,  governmentwide 
guidance  on  the  development  of  architectures,  as  well  as  statements  from  the  Office  of 
Homeland  Security  on  the  actions  taken  to  address  homeland-specific  challenges.  In 
addition,  we  recently  discussed  with  industry  officials  the  specific  barriers  to  sharing 
information  on  vulnerabilities  and  attacks. 

THE  THREAT  THAT  THE  COUNTRY  IS  FACING  AND 
HOW  IT  NEEDS  TO  BE  POSITIONED  TO  RESPOND 

Our  country  cannot  be  100-percent  secure  from  terrorist  attack,  particularly  when  these 
threats  are  asymmetric  to  our  strengths,  and  when  terrorists  intend  to  sustain  their 
efforts  for  as  long  as  need  be  but  view  success  in  terms  of  single,  isolated  events  causing 
loss  of  life  or  disruption  of  normal  daily  routines.  What  makes  it  particularly  difficult  to 
gauge  and  respond  to  this  kind  of  threat? 

.  Terrorist  groups  are  typically  loosely  structured,  fluid  and  flexible  units,  operating  in 
the  background  seeking  targets  of  opportunity-what  futurist  Edith  Weiner  terms 
“hiborgs”  or  hybrid  organizations.  By  contrast,  our  government  is  highly  structured 
and  less  able  to  change  rapidly. 

.  Terrorists  groups  take  advantage  of  targets  becoming  complacent,  or  simply  being 
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unable  to  recognize  threats  that  “blend”  into  the  background  of  normal  life. 
Countering  this  complacency  and  sustaining  a  high  alert  status  on  our  part  is  very 
difficult. 

•  The  primary  job  of  the  terrorist  is  to  find  the  soft  spots,  or  vulnerabilities,  such  as  lax 
airport  security,  unprotected  borders,  or  weak  controls  over  critical  computer  assets- 
-and  to  attack  these  targets  in  asymmetric  ways.  Our  job — to  limit  the  soft  spots~is 
much  more  difficult  and  costly.  As  the  aftermath  of  the  September  1 1  attacks  has 
shown,  providing  airports  with  adequate  security  alone  is  a  massive  challenge- 
requiring  the  hiring  of  thousands  of  security  personnel,  acquiring  advanced  security 
technology,  placing  undercover  law  enforcement  officials  on  flights,  developing  new 
passenger  boarding  procedures,  training  pilots  and  flight  crews  on  hijacking 
scenarios,  limiting  access  points,  deploying  national  guardsmen,  and  instituting 
second  screening  procedures.  While  significant  steps  have  been  taken  to  improve 
passenger  security,  concerns  remain,  such  as  the  safety  of  charter  airlines. 

.  Moreover,  our  government  agencies  are  still  required  to  perform  missions  or  provide 
essential  public  services  that  extend  their  responsibilities  well  beyond  countering 
terrorists-with  finite  fiscal  and  human  capital  resources. 

It  is  extremely  difficult  to  defend  against  a  suicide  bomber  or  other  asymmetric  threats. 
Yet  we  are  not  helpless.  Asymmetry  can  also  be  made  to  work  to  our  advantage 
particularly  if  we  recognize  that  government  institutions  are  highly  structured  and  less 
fluid,  and  deliberately  take  advantage  of  innovative  and  readily  adaptable  tools  that 
enable  us  to  better  counter  terrorists  and  employ  our  positive  asymmetrical  advantages 
against  such  groups.  Moreover,  this  country  has  tremendous  resources  at  its  disposal, 
leading  edge  technologies,  a  superior  research  and  development  base,  and  extensive 
expertise  and  experience  of  human  capital  resources.  However,  there  are  substantial 
challenges  to  leveraging  these  tools,  including  getting  the  right  information  at  the  right 
time  and  sharing  it  and  getting  the  right  technologies,  and  developing  a  construct  that 
makes  sure  not  only  that  the  right  information  goes  to  the  right  people,  but  that  we  can 
prevent,  detect,  and  respond  to  attacks  in  a  concerted,  effective  manner. 
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DATA  CHALLENGES 


What  Needs  to  Be  Done? 

•  Develop  an  understanding  of  the  homeland  security  mission  and  who  does  what,  for  what 
reason,  and  how/where/when  they  do  it.  From  that  knowledge,  decide  on  the  types  of  data  to 
be  collected  and  reported  as  well  as  on  the  level  of  detail. 

•  Collect  needed  information  from  a  broad  range  of  entities — ^from  federal,  state,  and  local 
agencies,  the  private  sector,  and  the  research  and  development  community-not  just  once,  but 
consistently  over  time  so  that  trends  may  be  established. 

•  Determine  the  right  format  and  standards  for  collecting  data  so  that  disparate  agencies  can 
aggregate  and  integrate  data  and  communicate  those  standards  to  reporting  entities. 

•  Prioritize  data,  boil  it  down  to  the  pieces  that  can  be  used  to  build  baselines  of  normal  activity 
and  mechanisms  that  can  effectively  detect  deviations  or  anomalies  that  would  indicate 
vulnerabilities  or  threats  and  how  serious  they  may  be. 


Getting  the  right  information  needed  for  effective  and  sustainable  homeland  security  will 
be  a  daunting  challenge,  considering  the  myriad  of  possible  targets,  types  of  attack,  and 
variables  that  need  to  be  considered  in  any  one  aspect  of  homeland  security. 
Nevertheless  it  is  important  to  begin  deciding  what  needs  to  be  collected,  how  it  should 
be  collected,  and  what  form  it  should  take  so  that  we  can  begin  to  collect  data  that  we 
will  need  over  time  to  detect  terrorist  activity  before  an  actual  attack. 


The  first  challenge  in  doing  this  is  to  develop  an  understanding  of  the  homeland  security 
mission,  goals,  and  objectives,  and  the  key  activities  and  players  involved.^  This  includes 
learning  specifically  (1)  who  does  what  for  what  reason;  (2)  how,  where,  and  when  they 
do  it;  (3)  what  do  they  use  in  order  to  do  it;  and  (4)  in  what  form.  It  also  includes 
developing  risk  and  threat  analyses.  Building  this  knowledge  will  be  considerably 
difficult,  considering  the  number  of  individuals  and  organizations  involved  in  national 
preparedness  and  the  asymmetrical  nature  of  the  threat,  but  it  is  essential  to  identify 
gaps  in  data,  technology,  and  approaches. 


‘  We  plan  to  issue  a  report  on  the  need  to  define  the  homeland  security  mission  within  the  next  month. 
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Other  data-related  challenges  include  the  following: 


•  Deciding  what  types  of  data  need  to  be  collected  for  certain  activities  as 
well  as  the  level  of  detail.  This  can  be  extremely  complex  for  any  one  aspect  of 
national  preparedness.  Take  transportation  mobility,  for  example,  which  is  critical  in 
the  event  of  a  chemical,  biological,  or  nuclear  attack.  Road  network  information, 
when  combined  with  digital  elevation  models  and  terrain  analysis  would  help 
analysts  identify  transportation  or  other  infrastructure  open  to  threats  and  to  plan 
mitigating  strategies.  The  same  information  would  also  help  to  identify  alternate 
routing  to  evacuate  or  avoid  affected  areas.  Census  data  and  current  weather 
patterns  (winds,  temperature,  and  humidity)  would  allow  emergency  management 
officials  to  determine  which  areas  are  most  at  risk  and  plan  appropriate  evacuation 
routes  under  multiple  scenarios.  Finally,  any  large-scale  evacuation  will  stress 
emergency  facilities  and  other  transportation  network  elements.  As  immediate  post¬ 
attack  work  done  at  the  World  Trade  Center  illustrates,  real-time  aerial  data  can  also 
assist  clean-up  and  recovery  efforts.^ 

•  Balancing  varying  interests  and  expectations.  For  example,  as  we  have 
testified  in  the  past,  ®  when  it  comes  to  protecting  cyberspace,  the  private  sector  may 
want  specific  threat  or  vulnerability  information  so  that  immediate  actions  can  be 
taken  to  avert  an  intrusion.  Law  enforcement  agencies  may  want  specific 
information  on  perpetrators  and  particular  aspects  of  the  attack,  as  well  as  the  intent 
of  the  attack  and  the  consequences  of  or  damages  due  to  the  attack.  At  the  same 
time,  many  computer  security  professionals  may  want  the  technical  details  that 
enable  a  user  to  compromise  a  computer  system  in  order  to  determine  how  to  detect 
such  actions. 


^  See  Ray  A.  Williamson,  “Information  as  Security:  Remote  Sensing,  Transportation  Lifelines  and 
Homeland  Security,”  Space  Imaging,  (May/June  2002). 

^  See  U.S.  General  Accounting  Office,  Critical  Infrastructure  Protection:  Challenges  to  Building  a 
Comprehensive  Strategy  for  Information  Sharing  and  Coordination,  GAO/T-AIMD-00-268,  (Washington, 
D.C.:  July  26,  2000). 
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•  Deciding  how  much  is  enough.  It  is  important  to  recognize  that  it  is  not  possible 
to  build  an  overall,  comprehensive  picture  of  activity  on  a  national  scale  or  even 
certain  confines  of  activity.  For  example,  it  would  not  be  possible  to  develop  a 
complete  picture  of  the  nation’s  information  infrastructure.  Networks  themselves  are 
too  big,  they  are  growing  too  quickly,  and  they  are  continually  being  reconfigured  and 
reengineered. 

•  Determining  the  right  format  and  standards  for  collecting  data  so  that 
disparate  agencies  can  aggregate  and  integrate  data  sets.  For  example. 
Extensible  Markup  Language  (XML)  standards  could  be  considered  as  one  option  to 
exchange  information  among  disparate  systems.''  Further,  guidelines  and  procedures 
need  to  be  specified  to  establish  effective  data-collection  processes,  and  mechanisms 
need  to  be  put  in  place  to  make  sure  that  this  happens — again,  a  difficult  task,  given 
the  large  number  of  government,  private,  and  nonprofit  organizations  that  will  be 
involved  in  data  collection.  Finally,  mechanisms  will  be  needed  to  disseminate  data, 
making  sure  that  it  gets  into  the  hands  of  the  right  people  at  the  right  time. 

More  importantly,  to  make  sure  the  homeland  strategy  is  sustainable,  we  eventually  need 
to  boil  data  down  to  the  pieces  that  will  allow  us  to  build  baselines  of  normal  activity  and 
mechanisms  that  will  enable  us  to  effectively  detect  deviations  or  anomalies  that  would 
indicate  vulnerabilities  or  threats  and  how  serious  they  may  be.  This  is  already  done  on 
a  much  smaller  scale  for  such  things  as  self-diagnostic  systems  in  automobiles,  aircraft, 
and  even  electric  appliances  that  alert  the  owner  or  manufacturer  after  sensing  slight 
temperature  changes  or  other  small  deviations  that  could  indicate  a  mechanical  problem 
even  before  it  occurs.  Moreover,  it  is  done  for  protecting  computer  networks.''  But 


^  XML  is  a  flexible,  nonproprietary  set  of  standards  for  annotating  or  “tagging”  information  so  that  it  can  be 
transmitted  over  a  network  and  readily  interpreted  by  disparate  systems.  For  more  information  on  its 
potential  use  for  electronic  government  initiatives,  see  U.S.  General  Accounting  Office,  Electronic 
Government:  Challenges  to  Effective  Adoption  of  the  Extensible  Markup  Language,  GAO-02-327, 
(Washington,  D.C.:  April  2002). 

^  Intrusion  detection  systems  used  to  protect  computer  networks  are  built  based  on  data  on  normal  use  of 
system  and  network  activity  as  well  as  known  attack  patterns.  Deviations  are  discovered  based  on  data 
from  analyses  of  network  packets,  captmed  from  network  backbones  or  local  area  network  segments,  or 
data  sources  generated  by  the  operating  system  or  application  software. 
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doing  this  promises  to  be  an  extremely  complicated  endeavor  for  homeland  security. 

For  starters,  determining  what  is  normal  and  abnormal  activity  relative  to  terrorists 
would  be  difficult  because  it  would  require  developing  an  extensive  body  of 
knowledge — beyond  just  intelligence  information~to  build  a  baseline  for  terrorist  activity 
when  the  activity  itself  is  elusive,  fluid,  and  difficult  to  predict. 


Fortunately,  there  are  good  places  to  start  data  gathering  and  modeling.  Organizations 
known  as  Information  Sharing  and  Analysis  Centers  (ISACs)  are  already  collecting 
information  on  critical  aspects  of  our  infrastructure;  government  agencies  at  all  levels 
have  databases  that  may  be  adapted  and  become  useful  for  such  activities  as  tracking 
potential  terrorists  or  detecting  biological  attacks;  and  extensive  information  is  already 
being  collected  through  the  use  of  satellites  and  remote  sensing  technology  that  should 
be  useful  in  building  models  to  detect,  analyze,  and  respond  to  threats. 


Starting  Points 

•  Information  Sharing  and  Anaiysis  Centers  are  being  estabiished  to  deveiop  information  on 
the  nation’s  criticai  infrastructure,  specificaiiy,  information  to  identify  vuinerabiiities  and 
prevent  and  respond  to  attacks.  These  inciude  the  Nationai  Coordinating  Center  for 
Teiecommunications  and  the  Financiai  Services  Information  Sharing  and  Anaiysis  Center. 
In  September  2001,  we  reported  that  six  ISACs  within  five  infrastructures  had  been 
estabiished  and  that  at  ieast  three  more  were  being  formed. 

•  Federai  agencies,  such  as  the  Federai  Bureau  of  Investigation  (FBI),  the  Immigration  and 
Naturaiization  Service  (INS),  Customs,  Health  and  Human  Services,  already  have 
databases  containing  information  critical  to  homeland  security.  State  and  local 
governments  also  have  databases  that,  if  adapted,  will  be  useful,  such  as  those  belonging 
to  highway  and  transportation  departments,  county  health  departments,  and  school 
systems. 

•  Models  and  statistical  techniques  have  already  been  developed  by  the  military  to  analyze 
threats  and  provide  “gaming”  simulation  of  multiple-threat  scenarios.  In  addition,  agencies 
are  already  collecting  information  that  could  feed  into  these  models,  such  as  census  and 
weather  data;  aerial  mapping  of  cities  and  farmlands;  detailed  images  of  shipping  and 
transportation  routes;  and  maps  detailing  critical  infrastructure  and  their  capacities,  such  as 
telecommunications  and  utility  lines. 
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INFORMATION-SHARING  CHALLENGES 


What  Needs  to  Be  Done? 

•  Establish  effective  information-sharing  between  private-sector,  nonprofit,  and  government 
organizations  to  facilitate  research  and  development  efforts,  data  collection  efforts,  law 
enforcement  efforts,  and  efforts  to  respond  to  attacks. 

•  Ensure  that  security  measures  exist  to  protect  sensitive  information. 


Events  preceding  and  following  the  attacks  of  September  1 1  spotlighted  one  of  our  most 
serious  vulnerabilities.  We  do  not  share  information  effectively,  particularly  when  it 
comes  to  intelligence,  law  enforcement,  and  response  activities.  If  we  cannot  do  a  better 
job  of  sharing  information,  we  will  not  be  able  to  effectively  identify  vulnerabilities, 
develop  needed  technology,  and  coordinate  efforts  to  detect  and  respond  to  attacks. 

Federal  agencies  and  the  Congress  are  still  looking  into  the  specifics  of  information 
sharing-difficulties  related  to  the  September  1 1  attacks,  but  recent  reports  of 
information-sharing  failures  within  the  FBI  and  CIA  highlight  some  of  the  primary 
barriers  we  face:  stovepiped  organizational  structures,  inadequate  database  sharing,  and 
simple  “turf’  issues.  Legal  and  regulatory  impediments  may  have  made  information¬ 
sharing  even  more  difficult. 

This  problem  is  not  new.  Two  years  ago,  for  example,  we  testified  that  the  ILOVEYOU 
computer  virus,  which  affected  governments,  corporations,  media  outlets,  and  other 
institutions  worldwide,  highlighted  the  need  for  greater  information  sharing  and 
coordination  to  respond  to  attacks  on  our  critical  infrastructure.  Because  information¬ 
sharing  mechanisms  were  not  able  to  provide  timely  enough  warnings  against  the 
impending  attack,  many  entities  were  caught  off  guard  and  forced  to  take  their  networks 
off-line  for  hours.  Getting  the  word  out  within  some  federal  agencies  themselves  also 
proved  difficult.  At  the  Department  of  Defense,  for  example,  the  lack  of  teleconferencing 
capability  slowed  the  response  effort  because  Defense  components  had  to  be  called 
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individually.  The  National  Aeronautics  and  Space  Administration  had  difficulty 
communicating  w^amings  w^hen  E-mail  services  disappeared.  Some  departments  that 
received  warnings  did  not  share  that  information  with  their  bureaus. 

As  illustrated  below,  however,  the  problem  of  information  sharing  is  much  more 
extensive  than  just  sharing  information  about  an  impending  attack — it  extends  from  the 
early  stages  of  research  and  development,  to  collecting  data,  preventing  and  detecting 
attacks,  and  responding  to  attacks.  Barriers  themselves  extend  well  beyond  poor 
mechanisms  for  issuing  attack  warnings  or  communicating  calls  for  “heightened  alert.” 
For  example,  in  recent  discussions  with  us,  industry  officials  said  that  their  chief 
concern  in  sharing  information  about  vulnerabilities  and  attacks  is  disclosure  of 
proprietary  data.  Our  past  reviews  have  also  highlighted  concerns  about  roles  and 
responsibilities,  antitrust  violations,  and  national  security  as  barriers  to  sharing 
information. 


In  short,  there  are  formidable  challenges  that  need  to  be  overcome  to  build  a  more 
comprehensive  and  effective  information-sharing  relationships.*’  Trust  needs  to  be 
established  among  a  broad  range  of  stakeholders,  important  questions  on  the  mechanics 
of  information  sharing  and  coordination  need  to  be  resolved,  and  roles  and 
responsibilities  need  to  be  clarified  among  all  levels  of  government. 


Where  Information  Sharing 
Can  Potentially  Break  Down 

Government  efforts  to  sponsor 
research  and  development 
efforts  to  develop  new 
homeland  security  technologies 


•  Concerns  that  Inadvertent  release  of  confidential  business 
material,  such  as  attempted  or  successful  attacks,  gaps  In 
security,  or  trade  secrets  or  proprietary  Information,  could 
damage  reputations,  lower  consumer  confidence,  hurt 
competitiveness,  and  decrease  market  shares  of  firms. 


Why 

•  Intellectual  property  concerns  may  affect  the  willingness  to 
contract  with  the  government.  Including  poor  definitions  of 
what  technical  data  are  needed  by  the  government  and 
unwillingness  on  the  part  of  government  officials  to  exercise 
the  flexibilities  available  to  them  concerning  intellectual 
property  rights. 


For  more  information  about  barriers  to  information  sharing,  see  GAO/T-AIMD-00-268  and  U.S.  General 
Accounting  Office,  Intellectual  Property:  Industry  and  Agency  Concerns  Over  Intellectual  Property 
Rights,  GAO-02-723T,  (Washington,  D.C.:  May  10,  2002). 
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Where  Information  Sharing 
Can  Potentially  Break  Down 

Government  efforts  to  facilitate 
data  sharing  on  critical 
infrastructures 


Private  sector  efforts  to  get 
data  from  the  government  on 
potential  vulnerabilities  and 
threats 


Coordinating  law  enforcement 
and  intelligence  activities 


Issuing  attack  warnings  and 
responding  to  attacks 


Why 


Concerns  about  potential  antitrust  violations  may  keep 
companies  from  sharing  information  with  other  industry 
partners. 

Concerns  that  sharing  information  with  the  government  could 
subject  data  to  Freedom  of  Information  Act  disclosures  or 
expose  companies  to  potential  liability  may  also  prevent 
companies  from  sharing  data  with  government  agencies. 

National  security  concerns  may  prevent  agencies  from  sharing 
data  with  the  private  sector. 

The  process  of  declassifying  and  sanitizing  data  takes  time — 
possibly  too  long  to  be  of  use  to  private-sector  time-critical 
operations. 

Security  clearances  may  not  be  available  for  the  “right  people” 
who  need  to  know. 

Law  enforcement  and  intelligence  agencies  operate  in  “distinct 
universes”  separated  by  jurisdictional,  organizational,  and 
cultural  boundaries.  At  the  same  time,  however,  roles  and 
responsibilities  at  different  levels  of  government  are  not 
always  clear  and  distinct. 

Information  may  be  considered  too  sensitive  to  release  to  law 
enforcement  colleagues  because  it  could  compromise  source 
and  collection  techniques. 

Certain  laws  and  regulations  as  well  as  privacy  concerns  may 
prevent  information  sharing  between  federal  agencies,  state, 
and  local  law  enforcement  agencies. 

Insufficient  direction  about  what  specific  steps  should  be  taken 
when  security  alert  status  is  increased. 

Lack  of  access  to  databases  and  problems  with 
interconnectivity  may  impede  information  sharing  between 
agencies. 

Information-sharing  mechanisms  and  procedures  for  warning 
against  attacks,  especially  between  different  levels  of 
government,  may  be  inadequate. 

Roles  and  responsibilities  between  emergency,  rescue,  relief, 
and  recovery  organizations  may  not  always  be  clear, 
especially  at  different  levels  of  government. 


Because  information  sharing  was  a  critical  problem  in  other  crises  facing  the 
government,  there  are  some  very  good  models  to  learn  from  and  build  on.  The  ISACs 
mentioned  earlier  are  a  good  example  of  government  and  private-sector  relationships  for 
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information  sharing.  The  Centers  for  Disease  Control  and  Prevention  (CDC)  also  uses 
several  information-sharing  computer  systems  to  help  accomplish  its  mission  to  monitor 
health,  detect  and  investigate  health  problems,  and  conduct  research  to  enhance  the 
prevention  of  disease. In  addition,  actions  have  already  been  taken  by  the  Congress  and 
the  administration  to  strengthen  information  sharing.  The  USA  Patriot  Act,  for  example, 
enhances  or  promotes  information  sharing  between  federal  agencies,  and  numerous 
terrorism  task  forces  have  been  established  to  coordinate  the  investigations  and  improve 
communications  between  federal  and  local  law  enforcement  agencies.  Also,  very 
recently,  leading  financial  services  firms  in  New  York  formed  a  private  database 
company  that  will  compile  information  about  criminals,  terrorists,  and  other  suspicious 
people  for  use  in  screening  new  customers  and  weeding  out  those  who  may  pose  a  risk. 
The  company  will  specifically  focus  on  helping  financial  companies  comply  with  anti- 
money-laundering  regulations,  including  requirements  in  legislative  approved  after  the 
September  1 1  attacks.  Additional  private-sector  solutions  also  need  to  be  considered, 
such  as  current  research  efforts  to  link  airline  reservation  systems. 


Starting  Points 

•  The  Agora  is  a  Seattle-based  regional  network  of  over  600  professionals  representing  various  fields, 
including  information  systems  security;  law  enforcement;  local,  state,  and  federal  governments; 
engineering;  information  technology;  academics;  and  other  specialties.  Members  work  to  establish 
confidential  ways  for  organizations  to  share  sensitive  information  about  common  problems  and  best 
practices  for  dealing  with  security  threats.  They  develop  and  share  knowledge  about  how  to  protect 
electronic  infrastructures,  and  they  prompt  more  research  specific  to  electronic  information  systems 
security. 

•  Carnegie  Mellon  University’s  CERT  Coordination  Center  (CERT/CC)  is  charged  with  establishing  a 
capability  to  quickly  and  effectively  coordinate  communication  between  experts  in  order  to  limit 
damage,  respond  to  incidents,  and  build  awareness  of  security  issues  across  the  Internet 
community.  In  this  role,  CERT/CC  receives  Internet  security-related  information  from  system  and 
network  administrators,  technology  managers,  and  policymakers  and  provides  them  with  this 
information  along  with  guidance  and  coordination  to  major  security  events. 


’’  We  reported  in  September  2001  that  the  usefulness  of  several  of  these  systems  is  impaired  both  by  CDC’s 
untimely  release  of  data  and  by  gaps  in  the  data  collected. 
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TECHNOLOGY  CHALLENGES 


What  Needs  to  Be  Done? 

•  Research  and  develop  new  technologies  integral  to  the  fight  against  terrorism,  such  as 
bioweapon-  or  low-level-radioactive-weapons-detection  systems  and  biometric  devices. 

•  Refine  emerging  technologies  so  that  they  are  more  user  friendly  and  less  cost 
prohibitive. 

•  Adapt  existing  technologies  to  the  homeland  security  mission. 

•  Connect  and  make  interoperable  databases  integral  to  information  sharing,  such  as 
those  belonging  to  the  FBI  and  INS. 


This  is  one  area  where  we  certainly  have  an  edge  over  terrorists.  Newly  developed 
unmanned  aerial  vehicles  are  providing  intelligence  vital  to  military  efforts  in 
Afghanistan.  Satellite  networks  and  remote  sensing  technologies  are  facilitating 
assessments  of  threats  overseas  as  well  as  military  operations  and  guidance  systems  for 
weapons  systems.  However,  though  we  have  vast  technological  resources  available  on 
the  homefront,  there  are  substantial  challenges  confronting  us. 

•  Certain  technologies  important  to  homeland  security  have  not  been  developed. 

These  include  bioweapons-  and  low-level-radioactive-weapons-detection  systems  and 
disease  surveillance  systems. 

•  Some  technologies  already  in  existence  have  not  been  effectively  adapted  to 
homeland  security.  Space-based  satellites  and  sensors,  for  example,  are  being  used 
to  guide  weapon  systems,  map  cities,  and  study  the  weather  and  environment.  But 
they  also  may  be  adapted  to  the  homeland  security  mission.  Moreover,  some  experts 
believe  that  making  this  transition  may  require  modifications  to  current  technology, 
such  as  the  addition  of  video  features  so  that  we  can  observe  ground  activity  as  it  is 
changing.® 


See  Joseph  A.  Engelbrecht  Jr.,  “Global  Security  Will  Drive  Real-Time  Surveillance,”  Space  Imaging, 
(TVIay/June  2002). 
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.  There  is  a  lack  of  connectivity  and  interoperability  between  databases  and 
technologies  important  to  the  homeland  security  effort.  Databases  belonging  to 
federal  law  enforcement  agencies  and  INS,  for  example,  are  not  connected,  and 
databases  between  state,  local,  and  federal  governments  are  not  always  connected. 

In  fact,  we  have  reported  for  years  on  federal  information  systems  that  are 
duplicative  and  not  well  integrated.**  A  related  problem  is  that  there  are  not  common 
standards  for  data  exchange  and  application  programming  interfaces  for  technologies 
that  provide  physical  security.  As  a  result,  much  of  the  equipment  needed  to  protect 
buildings  is  not  interoperable.  We  recently  testified,  for  example  that  deploying  an 
access  control  system  that  uses  a  smart  card  containing  a  fingerprint  biometric  would 
require  at  least  three  pieces  of  equipment:  the  card  reader  device,  the  fingerprint 
scan  device,  and  the  hardware  device  used  to  house  and  operate  the  biometric 
software.  “  If  these  devices  are  made  by  different  manufacturers,  they  cannot 
function  as  an  integrated  environment  without  costly  additional  software  to  connect 
the  disparate  components. 

•  Some  existing  technologies  important  to  homeland  security  are  not  user-friendly. 

We  recently  testified  that  some  biometric  technologies  are  inconvenient  to  use.  “ 
Retina  scanning,  for  example,  feels  physically  intrusive  to  some  users  because  it 
requires  close  proximity  with  the  retinal  reading  device.  Moreover,  fingerprinting 
feels  socially  intrusive  to  some  users  because  of  its  association  with  the  processing  of 
criminals.  There  is  also  an  assortment  of  health  concerns  among  a  segment  of  the 
population  regarding  certain  security  technologies.  For  instance,  there  is  evidence 
that  pacemakers  and  hearing  aids  can  be  adversely  affected  by  some  detection 
technologies. 

See  U.S.  General  Accounting  Office,  Information  Technology:  Enterprise  Architecture  Use  across  the 

Federal  Government  Can  Be  Improved,  GAO-02-6,  (Washington,  D.C.:  February  2002). 

“See  U.S.  General  Accounting  Office.  National  Preparedness:  Technologies  to  Secure  Federal  Buildings, 

GAO-02-687T,  (Washington,  D.C.:  April  25,  2002). 

“See  GAO-02-687T. 
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•  The  capabilities  of  security  technologies  can  be  overestimated,  potentially  luring 
security  officials  into  a  false  sense  of  security  and  relaxed  vigilance.  During  our 
recent  review  of  federal  building  security  technologies,  we  found  instances  in  which 
the  performance  of  biometric  technologies  was  overestimated.^^ 

Because  of  our  nation’s  substantial  investment  in  technology  and  research  and 
development,  there  are  numerous  good  starting  points  for  developing  and  harnessing 
technology  needed  for  the  homeland  security  mission.  Significant  advances,  for 
example,  have  already  been  made  in  technologies  needed  to  protect  buildings,  airports, 
and  other  facilities.  We  also  have  a  good  technological  foundation,  including  space- 
based  satellites,  imagery,  and  remote  sensing  systems,  to  begin  developing  systems  for 
effectively  monitoring  and  gauging  terrorist  activities. 

Additionally,  the  administration  is  promoting  a  host  of  new  initiatives  to  acquire  the 
technologies  needed  for  homeland  security.  For  example,  projects  already  under  way 
include  the  following: 

.  Taking  stock  of  what  technologies  are  already  available  and  what  gaps  exist. 

•  Assessing  what  changes  are  needed  to  federal  databases  to  facilitate  information 
sharing. 

.  Efforts  to  develop  protocols  to  permit  the  access  of  databases  and  information 
owned  by  federal  agencies  as  well  as  state  and  local  authorities. 

.  Developing  an  optimized  entry-exit  system  for  border  security. 

•  Assessing  biometric  technology  options. 


See  GAO-02-687T. 
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starting  Points 


Continue  to  Develop  and  Refine  Emerging 

Technology 

•  Some  of  the  emerging  biometric  devices, 
such  as  iris  scans  and  faciai  recognition 
systems,  theoreticaiiy  represent  a  very 
effective  security  approach  because 
biometric  characteristics  are  distinct  to  each 
individuai  and,  uniike  identification  cards 
and  pin  numbers  or  passwords,  they  cannot 
be  easiiy  iost,  stoien,  or  guessed.  Untii 
recentiy,  in  addition  to  being  very  expensive, 
the  performance  of  most  biometric 
technoiogies  had  unreiiabie  accuracy. 
However,  prices  have  significantiy 
decreased  and,  after  years  of  research,  the 
technoiogy  has  recentiy  been  improved 
considerabiy. 


Retina 


Optic  Nerve 


Pupil 

Lens 


Iris  scan  technology  is  based  on  the  unique  visible 
characteristics  of  the  eye’s  iris,  the  colored  ring  that 
surrounds  the  pupil.  A  high-resolution  digital  image  of  the 
iris  is  taken  to  collect  data.  The  system  then  defines  the 
boundaries  of  the  iris,  establishes  a  coordinate  system  over 
the  iris,  and  defines  the  zones  for  analysis  v\/ithin  the 
coordinate  system.  The  visible  characteristics  within  the 
zone  are  then  converted  into  a  512-byte  template. 


Adapt  potentially  useful  existing  technology 

•  Combining  geospatiai  digitai  information 
toois,  inciuding  remote  sensing  and  sateiiite 
imagery  technoiogy,  can  assist  efforts  to 
modei  threat  prevention  and  response 
scenarios  and  buiid  baseiines  of  normai 
activities  and  detect  deviations  from  the 
norm.  The  same  information  can  aiso  be 
used  to  respond  to  a  successfui  attack  and 
assist  in  crime  scene  investigation.  This 
technoiogy  is  aiready  being  used  to  pian 
and  execute  miiitary  operations  and  anaiyze 
threats  overseas,  as  weii  as  to  map  cities, 
study  the  environment  and  weather,  monitor 
transportation  and  shipping  routes,  monitor 
compiiance  with  iaws,  reguiations  and 
treaties,  and  modei  differing  scenarios  to 
assist  in  pianning  and  prevention. 


Satellite  photo  with  geospatial  digitized  overlay. 
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Make  Good  Use  of  Low  Tech  Alternatives 

•  New  ionization  radiation  technoiogies  that 
the  United  States  Postai  Service  (USPS)  is 
impiementing  may  be  a  promising  way  to 
sanitize  maii  contaminated  by  anthrax,  but 
there  are  proven  iow-tech  solutions  that 
should  still  be  considered,  such  as  manual 
mail-handling  procedures  to  presort 
nonanonymous  mail  to  reduce  the  volume 
that  would  require  higher  tech  irradiation 
techniques. 

•  New  high-tech  explosive  detection  systems 
can  be  used  to  detect  bulk  or  trace 
explosives  concealed  in,  on,  or  under 
vehicles,  containers,  packages,  and 
persons.  However,  dogs  are  also  an 
effective  and  time-proven  tool  for  detecting 
concealed  explosives.  The  dogs  currently 
used  by  Defense,  for  example,  can  detect 
nine  different  types  of  explosive  materials. 
And  since  dogs  have  the  advantage  of 
being  mobile  and  able  to  follow  a  scent  to  its 
source,  they  have  the  significant  advantage 
over  mechanical  explosive  detection 
systems  in  any  application  that  involves  a 
search. 


Security  dogs  may  be  more  cost  effective  and 
easier  to  depioy  than  new  high  tech  expiosive 
detection  systems 


MECHANISMS  NEEDED  TO  EFFECTIVELY 
RESPOND  TO  CHALLENGES 


What  Needs  to  Be  Done? 

•  Apply  risk  management  principles  to  identify  assets  that  need  to  be  protected  to  maintain 
continuity  of  operations,  as  well  as  threats,  vulnerabilities,  risks,  priorities,  and  countermeasures. 

•  Use  this  understanding  to  develop  a  blueprint,  or  architectural  construct,  that  defines  the 
information,  technologies,  and  approaches  necessary  to  perform  the  homeland  mission. 

•  Assign  responsibilities  among  the  stakeholders  so  that  everyone  is  not  doing  the  same  thing,  but 
instead  all  are  doing  something  slightly  different  that  together  forms  a  more  effective  shield. 

•  Establish  analytical  and  warning  capabilities. 

•  Create  performance  goals  and  metrics,  and  feedback  and  accountability  mechanisms,  so  that 
efficacy  of  investments  and  efforts  may  be  measured  and  programs  continually  improved. 
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The  overriding  challenge  for  homeland  security,  of  course,  is  how  to  prevent,  detect,  and 
respond  to  attacks.  Technology  and  information  are  critical  enablers,  but  they  are  not 
the  sole  answer.  Significant  issues  involving  people  and  approaches  also  need  to  be 
dealt  with.  For  example,  people — the  majority  of  whom  will  never  witness  a  terrorist 
event-will  be  required  to  be  able  to  sense  relevant  minute  changes  from  normal  activity 
that  could  alert  them  to  the  possibility  of  a  threat.  They  will  also  be  required  to  work 
together  to  implement  policies,  processes,  and  procedures  that  serve  as 
countermeasures  to  identified  risks.  To  do  so  effectively,  they  will  need  information 
about  what  additional  concrete  things  they  must  do  when  new  threat  information 
becomes  available.  In  addition,  because  there  are  thousands  of  individuals  and 
organizations  involved  in  detecting,  preventing,  and  responding  to  attacks  and  numerous 
projects  being  initiated,  measures  need  to  be  taken  to  prevent  redundancy  and 
inefficiency  in  homeland  security  efforts. 

To  be  truly  effective,  however,  the  homeland  security  strategy  needs  to  go  beyond 
promoting  redundancy  and  efficiency  to  finding  innovative  approaches  to  homeland 
security  activities — ones  that  fully  optimize  skills,  capabilities,  and  available  resources. 
The  asymmetrical  threat  we  face  demands  that  we  act  in  accordance  with  the  Marines’ 
operation  motto:  “Improvise,  Adapt,  Overcome.”  In  fact,  expeditionary  forces  within  the 
military  provide  a  good  example  of  how  we  can  find  new  approaches  by  capitalizing  on 
technology,  skills  and  capabilities,  and  flexibility.  These  are  forces  that  are  designed, 
trained,  and  organized  in  a  fashion  very  different  from  that  of  conventional  forces,  which 
previously  relied  on  highly  structured  and  standardized  approaches  to  war-fighting  and 
require  considerable  infrastructure  in  their  deployments.  In  the  Navy  and  the  Marine 
Corps,  for  instance,  expeditionary  forces  have  the  ability  to  go  rapidly  and  easily  to 
places  where  there  is  no  infrastructure  to  operate  on  their  arrival  because  they  carry 
their  infrastructure  in  the  holds  of  ships  and  on  their  back.  The  forces  are  trained  to  be 
self-reliant,  self-sustaining,  highly  adaptable,  and  adept  in  the  most  austere 
environments.  Because  they  are  uniquely  positioned  and  organized  to  accomplish  a  wide 
range  of  missions,  including  long-range  strike  operations  and  early  forcible  entry  to 
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facilitate  or  enable  the  arrival  of  follow-on  forces,  they  have  been  used  in  a  wide  range  of 
missions  for  decades. 

Starting  Points 

There  are  some  very  good  starting  points  for  addressing  all  of  these  challenges  as  well  as 
the  need  to  integrate  solutions  to  information-sharing  and  technology  problems.  These 
include  applying  risk  management  principles  to  identifying  security  priorities  and 
implementing  appropriate  solutions;  developing  an  architecture  for  homeland  security; 
developing  analytical  and  warning  capabilities;  and  establishing  goals  and  performance 
measures  and  accountability  mechanisms. 

Risk  Management  Principles 

Risk  management  principles  should  be  applied  to  analyze  and  identify  assets  that  need  to 
be  protected  to  maintain  the  continuity  of  critical  operations,  as  well  as  threats, 
vulnerabilities,  risks,  priorities,  and  countermeasures.  It  may  seem  ideal  to  employ 
extreme  security  measures  that  cover  every  risk  imaginable.  But  the  reality  is  that  this 
cannot  be  done,  either  because  doing  so  could  disrupt  operations  and  adversely  affect 
the  safety  of  citizens  or  the  economics  of  our  businesses,  or  merely  be  impractical  from  a 
resources  standpoint.  Our  previous  reports  on  homeland  security  and  information 
systems  security,  have  shown  that  risk  management  principles  can  provide  a  sound 
foundation  in  identifying  security  priorities  and  implementing  appropriate  solutions. 
These  principles,  which  have  been  followed  by  members  of  the  intelligence  and  defense 
community  for  many  years,  can  be  reduced  to  five  basic  steps  that  help  to  determine 
responses  to  five  essential  questions: 


“  See  U.S.  General  Accounting  Office,  Homeland  Security:  A  Risk  Management  Approach  Can  Guide 
Preparedness  Efforts,  GAO-02-208T  (Oct.  31,  2001)  and  Information  Security  Management:  Learning 
From  Leading  Organizations,  GAO/AIMD-98-68  (May  1998). 
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The  first  step  in  risk  management  is  to  identify  assets  that  must  be  protected  to  maintain 
continuity  of  critical  operations  and  the  impact  of  their  potential  loss.  The  second  step  is 
to  identify  and  characterize  the  threat  to  these  assets.  Is  the  threat,  for  example,  that 
unauthorized  individuals  can  gain  access  to  the  building  to  commit  some  crime,  or  more 
menacing,  that  a  terrorist  will  introduce  a  chemicalA)iological  agent  or  even  a  nuclear 
device  into  the  building.  Step  three  involves  identifying  and  characterizing 
vulnerabilities  that  would  allow  identified  threats  to  be  realized.  In  other  words,  what 
weaknesses  can  allow  a  security  breach?  In  the  fourth  step,  risk  must  be  assessed  and 
priorities  determined  for  protecting  assets.  Risk  assessment  examines  the  potential  for 
the  loss  or  damage  to  an  asset.  Risk  levels  are  established  by  assessing  the  impact  of  the 
loss  or  damage,  threats  to  the  asset,  and  vulnerabilities.  The  final  step  is  to  identify 
countermeasures  to  reduce  or  eliminate  risks.  In  doing  so,  the  advantages  and  benefits 
of  these  countermeasures  must  also  be  weighed  against  their  disadvantages  and  costs. 

In  prior  reports,  we  have  recommended  that  the  federal  government  conduct 
multidisciplinary  and  analytically  sound  threat  and  risk  assessments  to  define  and 
prioritize  requirements  and  properly  focus  programs  and  investments  in  combating 
terrorism.  Without  the  benefits  that  these  assessments  provide,  many  agencies  have 


See  U.S.  General  Accounting  Office,  Combating  Terrorism:  Selected  Challenges  and  Related 
Recommendations,  GAO-01-822,  (Washington,  D.C.:  Sept.  20,  2001);  Homeland  Security:  Key  Elements  of 
a  Risk  Management  Approach,  GAO-02-150T,  (Washington,  D.C.:  Oct.  12,  2001);  Combating  Terrorism: 
Threat  and  Risk  Assessments  Can  Help  Prioritize  and  Target  Program  Investments,  GAO/NSIAD-98-74, 
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been  relying  on  worst-case  chemical,  biological,  radiological,  or  nuclear  scenarios  to 
generate  countermeasures  or  establish  their  programs.  By  using  these  worst-case 
scenarios,  the  federal  government  is  focusing  on  vulnerabilities  (which  are  unhmited) 
rather  than  credible  threats  (which  are  limited). 

Homeland  Security  Architecture 

The  federal  government  should  develop  a  blueprint,  or  architecture,  that  defines  both  the 
homeland  security  mission  and  the  information,  technologies,  and  approaches  necessary 
to  perform  the  mission  in  a  way  that  is  divorced  from  organizational  parochialism  and 
cultural  differences.  This  would  need  to  be  based  on  the  outcome  of  a  risk  assessment 
along  with  a  good  understanding  of  the  roles  and  responsibilities  of  individuals  involved 
in  the  homeland  security  mission.  The  Office  of  Homeland  Security  has  acknowledged 
that  an  architecture  is  an  important  next  step  because  it  can  help  identify  shortcomings 
and  opportunities  in  current  homeland-security-related  operations  and  systems,  such  as 
duplicative,  inconsistent,  or  missing  information.  Of  course,  while  the  federal 
government  can  develop  the  construct  for  homeland  security,  it  will  be  up  to  state  and 
local  governments  to  carry  it  out,  with  a  great  deal  of  assistance  from  the  private  sector. 

Specifically,  the  architecture  should  describe  homeland  security  operations  in  both  (1) 
logical  terms,  such  as  interrelated  processes  and  activities,  information  needs  and  flows, 
and  work  locations  and  users,  and  (2)  technical  terms,  such  as  hardware,  software,  data, 
communications,  and  security  attributes  and  performance  standards.  It  should  provide 
these  perspectives  both  for  the  current  or  “as  is”  environment  and  for  the  target  or  “to 
be”  environment  as  well  as  a  transition  plan  for  moving  from  the  “as  is”  to  the  “to  be” 
environment.  A  particularly  critical  function  of  an  architecture  for  homeland  security 
would  be  to  establish  protocols  and  standards  for  data  collection  to  ensure  that  data 
being  collected  are  usable  and  interoperable-and  to  teh  people  what  they  need  to  collect 

(Washington,  D.C.:  Apr.  9,  1998)  and  Combating  Terrorism:  Need  for  Comprehensive  Threat  and  Risk 
Assessments  of  Chemical  and  Biological  Attack,  GAO/NSIAD-99-163,  (Washington,  D.C.:  Sept.  7,  1999). 
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and  monitor. 


Many  organizations  have  successfully  developed  enterprise  architectures,  though  on  a 
much  smaller  scale,  and  have  found  that  doing  so  promotes  better  planning  and 
decisionmaking;  prevents  the  building  of  redundant  systems;  facilitates  the  management 
of  extensive,  complex  environments;  improves  communication  and  information  sharing; 
focuses  on  the  strategic  use  of  emerging  technologies;  and  achieves  economies  of  scale 
by  providing  mechanisms  for  sharing  services.  Our  experience  with  federal  agencies  has 
shown  that  managed  properly,  architectures  can  clarify  and  help  optimize 
interdependencies  and  interrelationships  between  related  enterprise  operations  and  the 
underlying  technology  infrastructure  and  applications  that  support  them. 

Readily  available  frameworks  could  be  used  in  developing  an  architecture  for  homeland 
security.  These  include  Defense’s  C4ISR  Architecture  Framework,  the  Department  of 
Treasury’s  Enterprise  Architecture  Framework,  and  the  Federal  Enterprise  Architecture 
Framework,  published  by  the  Federal  Chief  Information  Officers  (CIO)  Council.  In 
addition,  the  CIO  Council,  Office  of  Management  and  Budget,  and  GAO  have 
collaborated  in  producing  guidance  on  the  content,  development,  maintenance,  and 
implementation  of  architectures.^*^ 

Analytical  and  Warning  Capabilities 

Analytical  and  warning  capabilities  should  be  developed  to  detect  precursors  to  terrorist 
attacks  so  that  advanced  warnings  can  be  issued  and  protective  measures  implemented. 
Since  the  1990s,  the  national  security  community  and  the  Congress  have  identified  the 
need  to  establish  analytical  and  warning  capabilities  to  protect  against  strategic 
computer  attacks  against  the  nation’s  critical  computer-dependent  infrastructures.  Such 
capabilities  involve  (1)  gathering  and  analyzing  information  for  the  purpose  of  detecting 
and  reporting  hostile  or  otherwise  potentially  damaging  actions  or  intentions  and  (2) 

‘'^See  Chief  Information  Officer  Council,  A  Practical  Guide  to  Federal  Enterprise  Architecture,  Version  1.0, 
(Washington,  D.C.:  Feb.  2001). 
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implementing  a  process  for  warning  policymakers  and  allowing  them  time  to  determine 
the  magnitude  of  the  related  risks.  In  April  2001,  we  reported  on  the  National 
Infrastructure  Protection  Center’s  progress  in  developing  such  mechanisms  for 
computer-based  attacks  and  impediments,  which  include  a  lack  of  a  generally  accepted 
methodology  for  strategic  analysis  of  cyber  threats  to  infrastructures,  inadequate  data  on 
infrastructure  vulnerabilities,  and  a  lack  of  needed  staff  and  expertise.  Similar 
approaches  should  be  developed  for  other  homeland  security  priorities. 

Goals  and  Performance  Measures  and  Accountability  Mechanisms 

Goals  and  performance  measures  and  accountability  mechanisms  should  be  established 
not  only  to  guide  the  nation’s  preparedness  efforts  but  to  assess  how  well  they  are  really 
working.  The  Congress  has  long  recognized  the  need  to  objectively  assess  the  results  of 
federal  programs.  For  the  nation’s  preparedness  programs,  however,  the  outcomes  of 
where  the  nation  should  be  in  terms  of  domestic  preparedness  have  yet  to  be  defined. 
Given  the  recent  and  proposed  increases  in  preparedness  funding  as  well  as  the  need  for 
real  and  meaningful  improvements  in  preparedness,  establishing  clear  goals  and 
performance  measures  are  critical  to  ensuring  both  a  successful  and  fiscally  responsible 
effort.  As  we  testified  earlier  this  year,  without  measurable  objectives,  policymakers 
would  be  deprived  of  the  information  they  need  to  make  rational  resource  allocations, 
and  program  managers  would  be  prevented  from  measuring  progress.  In  our  earlier 
testimony,  we  highlighted  the  recommendation  of  one  expert  with  the  Office  of 
Homeland  Security  that  the  government  should  develop  a  new  statistical  index  of 
preparedness,  incorporating  a  range  of  different  variables,  such  as  quantitative  measures 
for  special  equipment,  training  programs,  and  medicines,  as  well  as  professional 
subjective  assessments  of  the  quality  of  local  response  capabilities,  infrastructure,  plans, 
readiness,  and  performance  in  exercises.  The  index  could  go  well  beyond  current 


“See  U.S.  General  Accounting  Office,  Critical  Infrastructure  Protection:  Significant  Challenges  in 
Developing  National  Capabilities,  GAO-01-323,  (Washington,  D.C.:  Apr.  25,  2001). 


"See  U.S.  General  Accounting  Office,  Combating  Terrorism:  Critical  Components  of  a  National  Strategy 
to  Enhance  State  and  Local  Preparedness,  GAO-02-548T  (Washington,  D.C.:  Mar.  25,  2002). 
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rudimentary  milestones  of  program  implementation  to  capture  indicators  of  how  well  a 
particular  city  or  region  could  actually  respond  to  a  serious  terrorist  event. 


In  conclusion,  developing  a  comprehensive  and  sustainable  homeland  security  strategy  is 
a  formidable,  even  unprecedented  task.  Because  of  the  nature  of  the  threat,  the  scope  of 
the  things  that  need  to  be  done  are  seemingly  endless.  There  are  significant  challenges 
on  a  variety  of  fronts,  particularly  in  making  sure  that  the  right  information  gets  to  the 
right  people  at  the  right  time  and  in  making  good  use  of  technology.  Moreover,  any 
solution  must  be  national  in  nature,  not  just  a  federal  strategy,  since  over  80  percent  of 
nation’s  infrastructure  is  privately  owned,  and  state  and  local  government  are  the  front 
line  defenders  and  responders  in  the  fight  against  terrorism.  While  there  are  no  quick 
fixes  or  “silver  bullet”  single  solutions,  there  are  good  starting  points  for  addressing 
specific  areas  of  challenges  as  well  as  for  weaving  solutions  together  to  develop  an 
integrated  framework  for  preventing,  detecting,  and  responding  to  attacks. 

Even  with  these  mechanisms  in  place,  however,  there  will  still  be  a  need  for  strong 
leadership  on  the  part  of  the  federal  government  and  the  Congress  not  just  to  provide  the 
resources,  expertise,  and  training  needed  carry  out  the  strategy,  but  to  work  through 
concerns  and  barriers,  develop  trust  relationships,  make  sure  things  are  working  as  they 
should,  and  most  importantly,  sustain  national  attention  to  the  problem. 


Mr.  Chairman,  this  concludes  my  statement.  I  would  be  happy  to  answer  any  questions 
that  you  or  members  of  the  subcommittee  may  have. 
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Attachment 


Attachment 


Building  Tools  to  Detect  and  Assess  Terrorist  Threats 


Getting  information  to  the  right  peopie  at  the  right  time  is  criticai,  but  we  aiso  need  an  inteiiigent  strategy  to 
integrate  the  information.  One  way  is  to  buiid  baseiines  of  normai  activity  and  mechanisms  that  wiii  enabie  us  to 
effectiveiy  detect  deviations  or  anomaiies  that  wouid  indicate  threats  and  how  serious  they  may  be. 

First  step:  Use  Existing  Technology 

Intrusion  detections  systems  are  aiready  being  used  to  protect  criticai 
computer  networks.  These  systems  are  buiit  based  on  data  on  normai  use  of 
system  and  network  activity  as  weii  as  known  attack  patterns.  Deviations  are 
discovered  based  on  data  from  anaiyses  of  network  packets,  captured  from 
network  backbones  or  iocai  area  network  segments,  or  data  sources 
generated  by  the  operating  system  or  appiication  software. 

Next  step:  Apply  the  Same  Know-How  to  Protect  Other  Infrastructures 

For  exampie,  security  information  systems  can  be 
buiit  to  assess  threats  to  air  travei.  Data  couid  be 
drawn  from  government  watch  iists  and  airiine 
reservations  systems.  Deviations  couid  be  identified 
by  matching  names  from  reservation  systems  to 
government  watch  iists  or  by  detecting  unusuai 
patterns  in  travei  or  reservations. 


The  Challenge  Ahead 

Building  systems  to  predict  and  detect  deviations  on  larger 
scale,  for  example,  to  protect  major  cities.  This  wiii  be  an 
extremeiy  compiex  and  difficuit  endeavor.  For  starters, 
determining  what  is  normai  and  abnormai  activity  reiative  to 
terrorist  activity  wouid  be  difficuit  because  it  wouid  require 
deveioping  an  extensive  body  of  knowiedge — beyond  just 
inteiiigence  information — to  buiid  a  baseiine  for  terrorist  activity 
when  the  activity  itseif  is  eiusive,  fluid,  and  difficuit  to  predict. 

Technoiogies  that  can  be  used  in  this  regard  inciude  geospatiai 
digitai  information  toois,  inciuding  remote  sensing  and  sateiiite 
imagery  technoiogy. 


Retina 


Optic  Nerve 


Pupil 

Lens 


Iris  scan  technology  is  based  on  the  unique 
characteristics  of  the  eye’s  iris,  the  colored  ring  that 
surrounds  the  pupil. 
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Developing  other  new  technologies  needed  to  detect  and 
protect  people,  buildings,  and  critical  infrastructures  from 
attack.  This  inciudes 

•  Bioweapons-  and  iow-ievei-radioactive-weapons-detection 
systems 

•  Disease  surveiiiance  systems 

•  Biometric  devices,  such  as  iris  scans  and  faciai  recognition 
systems,  faciai  recognition  systems,  and  speaker 
verification  systems. 
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